Forum Discussion
Nfordhk_66801
Feb 25, 2015, Nimbostratus
Those numbers don't increment at all. I even copied and pasted the name. I added the logging:
    when RULE_INIT {
        set static::THIS_DOMAIN ".insertdomain.com"
        log local0.
    }
    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "get_computer_name" } {
            log local0.
            set computer [string tolower [ACCESS::session data get "session.windows_info_os.last.computer"]]
            foreach x [split $computer "|"] {
                if { $x ends_with $static::THIS_DOMAIN } {
                    set machinename [lindex [split $x "."] 0]
                    ACCESS::session data set session.custom.computer $machinename
                    return
                }
            }
        }
    }
I think this is all it gave:
Feb 25 14:13:33 nho-bigip-test info tmm[14917]: 01220002:6: Rule /Common/get_computer_name : local0.
Feb 25 14:13:33 nho-bigip-test info tmm1[14917]: 01220002:6: Rule /Common/get_computer_name : local0.
- Seth_Cooper (Employee), Feb 25, 2015: Please update the log statements to help determine where the iRule is getting to:
      log local0. "ACCESS_POLICY_AGENT_EVENT before if"
      log local0. "ACCESS_POLICY_AGENT_EVENT after if"
  Place these at different places to see what is getting fired and what isn't getting fired. Just to confirm... you did add the iRule to the Virtual Server that the APM policy is tied to? Seth
- Nfordhk_66801 (Nimbostratus), Feb 25, 2015: Doh! Sorry Seth, I wasn't aware it still needed to be applied to the VS in this scenario. I went ahead and did that. I see tons more information in the logs now. Still failing access, but now the iRules are executing. Also, there are no more blank fields for the AD query portion. I see the correct DN for the server; it's matching my branch rule. Not sure why it would be failing here.
- Nfordhk_66801 (Nimbostratus), Feb 25, 2015: I'll add the iRule logs and paste the results.
- Seth_Cooper (Employee), Feb 26, 2015: Now that the iRule is working and the AD query is running, what is populated in session.ad.last.attr.memberOf, and what does your branch rule look like? Seth
- Nfordhk_66801 (Nimbostratus), Feb 26, 2015: I do not see that string for "session.ad.last.attr.memberOf" anywhere. Although your previous comment mentioned session.windows_info_os.last.computer. Did you mean that?
- Seth_Cooper (Employee), Feb 26, 2015: "session.windows_info_os.last.computer" is needed for the iRule to parse the string and then create the variable "session.custom.computer" with the computer name that is passed into the AD Query. The result from the AD Query should be a lot of session variables (session.ad.last.attr.*). One of these variables will be memberOf, which is what contains the groups that we are going to check against to see if the computer has access or not. If you post a qkview to iHealth I can look at it.
- Nfordhk_66801 (Nimbostratus), Mar 02, 2015: I uploaded it. Do you work for F5? How do you see it?
- Seth_Cooper (Employee), Mar 02, 2015: Hi, yes, I work for F5, so I can see into the iHealth database. I don't see anything wrong with the configuration. Can you turn up logging on the Access Policy (under system, logs) to Informational? This will let you see more of what is going on in the /var/log/apm log file. The information you see should help you troubleshoot this. Seth
- Nfordhk_66801 (Nimbostratus), Mar 02, 2015: All the LTM is stating is showing the log comments. The iRule is executing successfully, it seems. No mention of anything AD query related.
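
The parsing step of the iRule in the original post, modelled in plain Tcl so it can be exercised in tclsh off the BIG-IP. This is an added example, not code from any participant in the thread or from F5; `extract_machine_name` is a hypothetical helper, the sample values are constructed, and the "|"-separated value format is the one the iRule assumes.

```tcl
# Added example: plain-Tcl model of the iRule's parsing loop (runs in tclsh).
# extract_machine_name is a hypothetical helper; sample values are constructed.
proc extract_machine_name {raw domain} {
    set computer [string tolower $raw]
    set dlen [string length $domain]
    foreach x [split $computer "|"] {
        # Stand-in for the iRule operator "ends_with", which plain Tcl lacks.
        set tail [string range $x [expr {[string length $x] - $dlen}] end]
        if {$tail eq $domain} {
            # Host part = text before the first dot, as in the iRule.
            return [lindex [split $x "."] 0]
        }
    }
    # No entry matched: the iRule would leave session.custom.computer unset.
    return ""
}

set domain ".insertdomain.com"
foreach sample {
    "WS-0142.insertdomain.com"
    "ws-0142.lab.example|WS-0142.InsertDomain.com"
    "WS-0142"
    "ws-0142.insertdomain.com.example.net"
} {
    set name [extract_machine_name $sample $domain]
    if {$name eq ""} {
        puts [format "%-48s -> no match, variable stays unset" $sample]
    } else {
        puts [format "%-48s -> %s" $sample $name]
    }
}
```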